BCP38 Deployment

Bingyang LIU bjornliu at gmail.com
Wed Mar 28 16:10:12 UTC 2012


Hi David, Leo, Patrick and all,

Considering the reasons you raised, do you think the following two things
can happen?

1. Given that BCP38 is the only practical anti-spoofing technique, can an ISP
protect its customers well by implementing BCP38? I don't think so, because I
think BCP38 is accurate near the source but inaccurate near the
destination, i.e. if its customer is the target of a spoofing attack, its
capability to filter is relatively low.

2. Even if ineffective near the destination, is an ISP willing to deploy it
if it becomes easy to adopt and risk-free (no false positive)?

Sorry for my stupid and naive questions.

best
Bingyang

On Wed, Mar 28, 2012 at 5:45 PM, David Conrad <drc at virtualized.org> wrote:

> Leo,
>
> On Mar 28, 2012, at 8:13 AM, Leo Bicknell wrote:
> >> #1) Money.
> >> #2) Laziness.
>
> > While Patrick is spot on, there is a third issue which is related
> > to money and laziness, but also has some unique aspects.
> >
> > BCP38 makes the assumption that the ISP does some "configuration"
> > to ensure only properly sourced packets enter the network.  That
> > may have been true when BCP38 was written, but no longer accurately
> > reflects how networks are built and operated.
>
> An interesting assertion.  I haven't looked at how end-user networks are
> built recently.  I had assumed there continue to be customer aggregation
> points within ISP infrastructure in which BCP38-type filtering could occur.
> You're saying this is no longer the case?  What has replaced it?
>
> > BCP38 needs
> > to be applied at the OEM level in equipment manufacturing, not at
> > the operational level with ISPs.
>
> I don't believe this is either/or.  I agree that BCP38 features should be
> turned on by default in CPE, however I believe it really needs to be
> enforced at the ISP level.
>
> > As long as folks keep beating on (consumer) ISPs to implement BCP38,
> > nothing will happen.
>
>
> Optimist.
>
> Actually, given the uptick in spoofing-based DoS attacks, the ease with
> which such attacks can be generated, recent high profile targets of said
> attacks, and the full-on money pumping freakout about anything with
> "cyber-" tacked on the front, I suspect a likely outcome will be proposals
> for legislation forcing ISPs to do something like BCP38.
>
> Regards,
> -drc
>
>
>


-- 
Bingyang Liu
Network Architecture Lab, Network Center, Tsinghua Univ.
Beijing, China
Home Page: http://netarchlab.tsinghua.edu.cn/~liuby
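
An added illustration of point 1 in the message above (not code from the thread or its participants): the same spoofed packets are checked once by a BCP38-style ingress filter at the sender's ISP edge and once at the upstream-facing edge of the target's ISP. The prefixes are RFC 5737 documentation ranges, and the packet list and function names are constructed for this sketch.

```python
import ipaddress

# Constructed sample data using documentation prefixes (RFC 5737).
SENDER_NET = [ipaddress.ip_network("192.0.2.0/24")]     # sending host's access network
VICTIM_NET = [ipaddress.ip_network("203.0.113.0/24")]   # attack target's network

# (claimed source address, is_spoofed) for packets leaving a host in SENDER_NET
PACKETS = [
    ("192.0.2.10", False),     # legitimate traffic
    ("198.51.100.7", True),
    ("198.51.100.8", True),
    ("198.51.100.200", True),
    ("203.0.113.9", True),     # claims to come from inside the victim's network
]

def _inside(src, prefixes):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def source_edge_permit(src):
    """Ingress filter on the sender's customer-facing port: the source
    must belong to the prefixes assigned to that customer."""
    return _inside(src, SENDER_NET)

def destination_edge_permit(src):
    """Filter on the upstream-facing port of the victim's ISP: any outside
    address may be a real peer, so only sources claiming the victim's own
    prefix can be rejected."""
    return not _inside(src, VICTIM_NET)

def evaluate(permit):
    """Return (fraction of spoofed packets dropped, legitimate packets dropped)."""
    spoofed = [s for s, bad in PACKETS if bad]
    legit = [s for s, bad in PACKETS if not bad]
    caught = sum(1 for s in spoofed if not permit(s))
    false_pos = sum(1 for s in legit if not permit(s))
    return caught / len(spoofed), false_pos

if __name__ == "__main__":
    print("source edge:     ", evaluate(source_edge_permit))
    print("destination edge:", evaluate(destination_edge_permit))
```

Neither filter drops the legitimate packet; the difference is only in how many spoofed sources each vantage point has enough information to reject.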


